Vulnerability Landscape
● In 2006 the patches for client-side vulnerabilities overtook all other categories in Microsoft software.
● In 2010, Symantec's Global Internet Security Threat Report indicated that over 93% of vulnerabilities exploited worldwide are now client-side.
Source: http://www.symantec.com
Protecting the Client
● Client-side attacks have special properties compared to traditional server-side attacks
▸ Extremely complex structures for document formats
▸ Embedding of interpreters and scripting languages
▸ Embedding of arbitrary formats within other container formats
▸ Obfuscation techniques
▸ Multiple delivery channels for the same vulnerability
Network Intrusion Prevention Systems
● Intrusion prevention platforms are evaluated by market analysis firms according to two criteria
▸ Throughput
▸ Coverage
● A key term in modern IPS is deep packet inspection, but its implementation is practically limited by those same two evaluation criteria
● A supplemental system is required to defend against client-side attacks
Razorback Framework
● Razorback is a distributed data collection and analysis framework
● Modular architecture allows collection and analysis modules to be distributed over a network in arbitrary configurations
▸ Retrieval of data over the wire or from server software after delivery
▸ Analysis of complex file formats distributed over a server farm
Razorback Framework
● A collection of elements working together
● Each element performs a discrete task
● Elements are tied together via the Dispatcher
● Nugget types:
▸ Data Collection
▸ Data Detection/Analysis
▸ Output
▸ Intelligence
▸ Correlation
▸ Defense Update
▸ Workstation
Razorback Framework Architecture
[Architecture diagram: the Dispatcher sits at the centre, connected to multiple Collection Nuggets, multiple Detection Nuggets, multiple Output Nuggets, the Database, and Other Types of Nuggets]
Database
● Configuration information
● Event information
● Contextual information
● Metadata
● Provides a wealth of information for correlating events and activities
Nuggets
● Dispatcher Registration
▸ Types of data handled
▸ Types of output generated
● UUIDs
▸ Identifier of nuggets
▸ Type of nugget
▸ Types of data handled and/or provided
▸ Allows for easy addition and removal of elements
Nugget Registration
[Registration diagram: several Detection Nuggets, Collection Nuggets and Output Nuggets each registering with the Dispatcher]
Collection Nugget
● Capture data
▸ From the network
▸ From a network device directly
▸ From log files
● Contact the Dispatcher for handling
▸ Has this data been evaluated before?
▸ Send the data to the Dispatcher
Collection Nuggets
● Snort-as-a-Collector (SaaC)
▸ SMTP mail stream capture
▸ Web capture
▸ DNS capture
● Custom post-mortem debugger
▸ Traps applications as they crash
▸ Sends the file that triggered the crash to the Dispatcher
▸ Sends the metadata of the crash to the Dispatcher
Detection Nugget
● Handles incoming data from Collection Nuggets
● Splits incoming data into logical sub-blocks
▸ Requests additional processing of sub-blocks
● Provides alerting feedback to the Dispatcher
Detection Nuggets
● Zynamics PDF Dissector
▸ Deobfuscation and normalization of objects
▸ Target known JavaScript attacks
● JavaScript Analyzer (w/ Zynamics)
▸ Search for shellcode in unescaped blocks
▸ Look for heap spray
▸ Look for obvious obfuscation possibilities
www.zynamics.com/dissector.html
Detection Nuggets
● Shellcode Analyzer (w/ libemu)
▸ Detection and execution of shellcode
▸ Look for code blocks that unwrap shellcode
▸ Win32 API hooking
  ● Determine the function call
  ● Capture the arguments
▸ Provide alerts that include shellcode action
libemu.carnivore.it
Detection Nuggets
● Office Cat Nugget
▸ Full Office file parsing
▸ Vuln-centric detection against known threats
● SWF Nugget
▸ Decompresses and analyzes Flash
▸ Detects known Flash threats
Detection Nuggets
● ClamAV Nugget
▸ Analyze any format
▸ Signature- and pattern-based detection
▸ Updatable signature DB
▸ Can further serve as a collector
▸ Can issue defense updates
Output Nugget
● Receives alert notification from Dispatcher
● If the alert is of a handled type, additional information is requested:
▸ Short Data
▸ Long Data
▸ Complete Data Block
▸ Normalized Data Block
● Sends output data to the relevant system
Output Nuggets
● Deep Alerting System
▸ Provide full logging output of all alerts
▸ Write out each component block
▸ Include normalized view of documents as well
● Maltego Interface
▸ Provide data transformations targeting the Razorback database
www.paterva.com
Analysis Nuggets
● Intelligence Nugget
▸ Generate metadata for correlation
● Correlation Nugget
▸ Compare results of various intelligence nuggets
Defense Update Nugget
● Receives update instructions from dispatcher
● Performs dynamic updates of network device(s)
● Update multiple devices
● Update multiple devices of different types!
● Notifies dispatcher of defense update actions
Workstation Nugget
● Authenticates on a per-analyst basis
● Provides the analyst with the ability to:
▸ Manage nugget components
▸ Manage alerts and events
  ● Consolidate events
  ● Add custom notes
  ● Set review flags
  ● Delete events
▸ Review system logs
Dispatcher Operation
[Operation diagram, four numbered steps: the Dispatcher passes collected data to a Detection Nugget (PDF Analysis), receives embedded sub-component data back, hands it to another Detection Nugget (JavaScript Analysis), collects the detection results, and writes alert/event data to the Database]
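The registration, de-duplication and sub-block hand-off that the Nuggets, Collection Nugget, Detection Nugget and Dispatcher Operation slides describe, as an added Python model that is not Razorback's own code. The Dispatcher class, the pdf_nugget and js_nugget detectors and the sample PDF are all constructed for illustration; the two regular-expression heuristics only stand in for the real PDF Dissector and JavaScript Analyzer.

```python
import hashlib, re, uuid

# Constructed model of the Dispatcher loop the slides describe (an added example,
# not Razorback's own code): nuggets register a UUID plus the data types they
# handle, the Dispatcher de-duplicates submissions by hash, routes each block to
# the detectors registered for its type, and re-submits returned sub-blocks.

class Dispatcher:
    def __init__(self):
        self.nuggets = {}   # UUID -> (name, handled data types, detect callable)
        self.seen = {}      # sha256 of a block -> alerts already produced for it
        self.events = []    # every (nugget, data type, alert) raised, in order

    def register(self, name, data_types, detect):
        nid = str(uuid.uuid4())          # UUID lets elements be added and removed
        self.nuggets[nid] = (name, set(data_types), detect)
        return nid

    def submit(self, data_type, block, depth=0):
        # Collection entry point; returns alerts for the block and its children.
        digest = hashlib.sha256(block).hexdigest()
        if digest in self.seen:          # "has this data been evaluated before?"
            return self.seen[digest]
        if depth > 8:                    # bound recursion through nested containers
            return []
        alerts = []
        for name, types, detect in list(self.nuggets.values()):
            if data_type not in types:
                continue
            found, sub_blocks = detect(block)
            for msg in found:
                self.events.append((name, data_type, msg))
                alerts.append((name, data_type, msg))
            for sub_type, sub in sub_blocks:   # detector asked for more processing
                alerts.extend(self.submit(sub_type, sub, depth + 1))
        self.seen[digest] = alerts
        return alerts

# Two toy detectors standing in for the PDF Dissector and JavaScript Analyzer.
def pdf_nugget(block):
    scripts = re.findall(rb"/JS\s*\((.*)\)", block, re.S)   # greedy: up to last ')'
    return [], [("javascript", s) for s in scripts]

def js_nugget(block):
    alerts = []
    if re.search(rb"unescape\(\s*['\"]%u", block):
        alerts.append("unescape() block that may unpack shellcode")
    if re.search(rb"while\s*\(.*<\s*0x[0-9a-fA-F]{4,}\)", block):
        alerts.append("large fill loop consistent with heap spray")
    return alerts, []
```

Submitting the same document twice returns the cached verdict without re-running any detector, which is the "evaluated before?" check the Collection Nugget slide lists.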
DEMO
Contact
● Richard Johnson
▸ [email protected]
▸ @richinseattle
▸ http://rjohnson.uninformed.org
● Sourcefire VRT
▸ labs.snort.org
▸ vrt-sourcefire.blogspot.com
▸ @VRT_Sourcefire
Razorback Team: Alex Kambis, Alex Kirk, Alain Zidouemba, Christopher McBee, Kevin Miklavcic, Lurene Grenier, Matt Olney, Matt Watchinski, Nigel Houghton, Patrick Mullen, Ryan Pentney, Sojeong Hong